CVE-2026-2412 Overview
The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injection via the merged_question parameter in all versions up to, and including, 10.3.5. This vulnerability arises from insufficient sanitization of user-supplied input before being used in a SQL query. The sanitize_text_field() function applied to the merged_question parameter does not prevent SQL metacharacters like ), OR, AND, and # from being included in the value, which is then directly concatenated into a SQL IN() clause without using $wpdb->prepare() or casting values to integers. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Critical Impact
Authenticated attackers with Contributor-level privileges can exploit this SQL Injection to extract sensitive information from the WordPress database, potentially including user credentials, personal data, and other confidential content.
Affected Products
- Quiz and Survey Master (QSM) WordPress plugin versions up to and including 10.3.5
- WordPress installations using the vulnerable QSM plugin versions
- Any site with Contributor-level or higher user accounts enabled
Discovery Timeline
- 2026-03-23 - CVE-2026-2412 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-2412
Vulnerability Analysis
This SQL Injection vulnerability exists within the Quiz and Survey Master plugin's question merging functionality. The root issue lies in how the plugin processes the merged_question parameter through its REST API endpoint. While the plugin developers attempted to sanitize user input using WordPress's sanitize_text_field() function, this approach is fundamentally inadequate for preventing SQL Injection attacks.
The sanitize_text_field() function is designed to remove unwanted characters for display purposes—it strips HTML tags, removes extra whitespace, and encodes special characters. However, it does not filter SQL metacharacters such as ), OR, AND, #, and other characters that can manipulate SQL query logic. This mismatch between the sanitization method and the security requirement creates an exploitable condition.
An authenticated attacker with at least Contributor-level access can craft malicious input containing SQL metacharacters that break out of the intended IN() clause context and inject arbitrary SQL statements. This enables UNION-based or boolean-based blind SQL Injection techniques to extract data from any table in the database accessible to the WordPress database user.
Root Cause
The vulnerability stems from improper input validation and insecure database query construction. The vulnerable code in class-qsm-questions.php accepts the merged_question parameter and directly concatenates it into a SQL IN() clause. The proper approach would have been to use WordPress's $wpdb->prepare() method with parameterized queries, or to cast all values to integers before inclusion in the query. The reliance on sanitize_text_field() for SQL-related security demonstrates a misunderstanding of the function's intended purpose.
Attack Vector
The attack is network-based and requires authentication with Contributor-level access or above. An attacker must be able to make authenticated requests to the plugin's REST API endpoint that handles question merging operations. The attacker can inject SQL metacharacters through the merged_question parameter, breaking out of the IN() clause and appending malicious SQL queries. Since no user interaction is required beyond the attacker's own actions, exploitation can be automated once valid credentials are obtained.
The vulnerability can be exploited through the REST API endpoint defined in rest-api.php. Technical details are available in the WordPress Class QSM Questions Code and WordPress REST API Code.
Detection Methods for CVE-2026-2412
Indicators of Compromise
- Unusual database queries containing SQL metacharacters in web server or application logs
- Unexpected patterns in the merged_question parameter values in QSM plugin logs
- Evidence of data exfiltration attempts through error-based or time-based SQL Injection techniques
- Anomalous REST API requests to QSM endpoints from Contributor-level accounts
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL Injection patterns in requests targeting QSM REST API endpoints
- Monitor WordPress activity logs for unusual API requests from users with Contributor or higher roles
- Deploy database activity monitoring to detect anomalous query patterns or data access
- Review access logs for repeated requests with varying SQL metacharacters in parameters
Monitoring Recommendations
- Enable detailed logging for the Quiz and Survey Master plugin REST API endpoints
- Configure alerts for database errors that may indicate SQL Injection attempts
- Monitor for unusual query execution times that could suggest time-based blind SQL Injection
- Implement real-time alerting on WAF rule violations targeting WordPress plugins
How to Mitigate CVE-2026-2412
Immediate Actions Required
- Update Quiz and Survey Master plugin to version 10.3.6 or later immediately
- Review Contributor and higher-level user accounts for any unauthorized or suspicious accounts
- Audit database access logs for signs of exploitation prior to patching
- Consider temporarily disabling the QSM plugin if an immediate update is not possible
Patch Information
The vulnerability has been addressed in changeset #3486710. The patch modifies the query construction in class-qsm-questions.php and rest-api.php to properly sanitize and prepare SQL statements. Details of the security fixes can be found in the WordPress Changeset #3486710 QSM Questions and WordPress Changeset #3486710 REST API. Additional vulnerability analysis is available from the Wordfence Vulnerability Analysis.
Workarounds
- Restrict Contributor-level access to trusted users only until the patch can be applied
- Implement Web Application Firewall rules to block requests containing SQL metacharacters in QSM parameters
- Temporarily disable the QSM plugin's REST API functionality if feasible
- Use a security plugin to add additional input validation layers for WordPress REST API endpoints
# Configuration example - WAF rule for ModSecurity
# Block SQL injection patterns in QSM plugin parameters
SecRule ARGS:merged_question "@rx (\)|OR|AND|#|--|;|UNION|SELECT)" \
"id:100001,phase:2,deny,status:403,msg:'Potential SQL Injection in QSM merged_question parameter'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
